Quantum key distribution between two groups using secret sharing 
In this paper, we investigate properties of some multi-particle entangled states and, by applying secret sharing to these properties, present a new type of quantum key distribution protocol as a generalization of quantum key distribution between two persons. In the protocols, each group can retrieve the secure key string only if all members in the group cooperate with one another. We also show that the protocols are secure against an external eavesdropper using the intercept/resend strategy.
I. INTRODUCTION

The computational power of quantum computers has threatened classical cryptosystems. For example, public key cryptosystems, such as the Rivest-Shamir-Adleman public key cryptosystem [1], can be broken by quantum computers, which are able to perform fast factorization. On the other hand, quantum mechanical phenomena provide us with a new kind of cryptosystem, called quantum key distribution (QKD), from which we can in principle obtain perfectly random and secure key strings.

The first quantum cryptographic protocol was presented by Bennett and Brassard [2], and their protocol bore the acronym BB84. In 1991, Ekert proposed a QKD protocol using entangled particles. It was modified by Bennett, Brassard, and Mermin [4]. Let us call the modified version the Einstein-Podolsky-Rosen (EPR) protocol. The EPR protocol is a QKD between two persons using an EPR pair of spin-1/2 particles in the state $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$.

Using the Greenberger-Horne-Zeilinger (GHZ) state $\frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)$, the secret sharing protocol was presented by Hillery, Buzek and Berthiaume [6]. In this protocol, Alice distributes the information on a key to Bob and Charlie, and the key can be restored only when Bob and Charlie collect their information together.

In this paper, applying the secret sharing protocol, we 
generalize the EPR protocol on noiseless channels by the 
properties of several cat states and then obtain QKD 
protocols between group A and group B. In each group 
the information of a secret key is distributed to all mem- 
bers. After the process for recovery of the key, the two 
groups get the secret key. And the protocols require each 
member's approval and cooperation. Furthermore, when 
some members try to affect the shared bit adversely, if 
the shared key does not have the correct correlation (or 
anti-correlation) then it should be revealed to others in 
the test step. Any external eavesdropper should also be 
detected even if several members assist the eavesdropper. 

This paper is organized as follows: In Section 2, we investigate some properties of several cat states. The QKD protocol between two groups and its modification are presented in Section 3. We analyze the security for the protocol in Section 4.



II. NONORTHOGONAL CAT STATES 

Let us begin with reviewing cat states [7]. The t-particle cat state is defined as an entangled state of the type

$$\frac{1}{\sqrt{2}}\left(\bigotimes_{i=1}^{t}|u_i\rangle \pm \bigotimes_{i=1}^{t}|u_i^c\rangle\right), \qquad (1)$$

whereby $u_i$ stands for the binary variable in {0, 1}, and $u_i^c = 1 - u_i$. Furthermore, Equation (1) becomes one of the Bell states when t = 2 and one of the GHZ states when t = 3.

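From now on, we use the following several cat states:

$$|\Phi_t^{\pm}\rangle = \frac{1}{\sqrt{2}}\left(\bigotimes_{i=1}^{t}|0\rangle \pm \bigotimes_{i=1}^{t}|1\rangle\right), \qquad (2)$$

$$|\Lambda_t^{\pm}\rangle = \frac{1}{\sqrt{2}}\left(\bigotimes_{i=1}^{t}|0\rangle \pm i\bigotimes_{i=1}^{t}|1\rangle\right). \qquad (3)$$

We define $|0\rangle_x = |\Phi_1^+\rangle$, $|1\rangle_x = |\Phi_1^-\rangle$, $|0\rangle_y = |\Lambda_1^+\rangle$, and $|1\rangle_y = |\Lambda_1^-\rangle$.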

For $n = k + l$, we notice that the states in Equations (2) and (3) have the following relations:



\ n / 
-7-AH)A\'^f)B + K.)A\'^f)B) (4)

-7i(K)aI^^)b + |Aa:)Ja±)J, (5) 

= 7l(K)Al<f^)B + |Anj*r)B)- (7) 



When G is a group of t persons, assume that, for one of the above four cat states, each person takes one of its particles and measures it in the x- or y-direction. Firstly we let $\mathcal{N}_y^G$ be the number of members modulo 4 who measure in the y-direction, Ai'? ^ and the sum of the measurement outcome of all members modulo 2. Then the following results are obtained.

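(a) Suppose $\mathcal{N}_y^G$ is even. Then $\mathcal{P}^G \oplus \mathcal{M}_y^G$ is 0 for $|\Phi_t^+\rangle$, and it is 1 for $|\Phi_t^-\rangle$, where $a \oplus b = a + b \pmod{2}$ for any $a, b \in \mathbb{N}$.

(b) Suppose $\mathcal{N}_y^G$ is odd. Then $\mathcal{P}^G \oplus \mathcal{M}_y^G$ is 0 for $|\Lambda_t^+\rangle$, and it is 1 for $|\Lambda_t^-\rangle$.

Also, it is noticed that if the above suppositions on $\mathcal{N}_y^G$ are not satisfied, $\mathcal{P}^G \oplus \mathcal{M}_y^G$ becomes 0 or 1 with probability 1/2, i.e. it follows no rule.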

Using an induction on t the proof of such facts is given. To begin with, for t = 1 it is trivial. Assume that these statements are true for t - 1. The cat state $|\Phi_t^+\rangle$ is considered. Let $\mathcal{N}_y^G$ be even. Equation (4) implies

$$|\Phi_t^+\rangle = \frac{1}{\sqrt{2}}\left(|0\rangle_x|\Phi_{t-1}^+\rangle + |1\rangle_x|\Phi_{t-1}^-\rangle\right). \qquad (8)$$

If any one member takes measurement in the x- 
direction and obtains then Afy = My and My will 
be even, where G' is the group of all members except 



that member. From Equation © Mi'^ 







V 



Thus ® 
M'^ ®V^' = 1 by 



and 



0. Otherwise, 



and = r 



G' 



1. Thus 



M':;®V^ = 0. 

On the other hand, for the case that the member takes a measurement in the y-direction, the proof is similar to the above case. Hence, we obtain that $\mathcal{M}_y^G \oplus \mathcal{P}^G = 0$. That is, the previous assumption holds for t. For other cat states, all of the proofs are similar.
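A numerical check of statements (a) and (b) for all four cat states, added here as an example and not taken from the paper: it applies the x/y measurement operators to each state and compares the resulting outcome parity with the rule. It assumes that outcome 0 is the +1 eigenvalue and that M_y is floor(N_y / 2), a definition that is not legible on this page; the names `Phi+`, `Phi-`, `Lam+`, `Lam-` are this example's own labels for the states in Equations (2) and (3).

```python
from itertools import product

# Relative phase of |1...1>, required parity of N_y, and sign bit for each
# state. The short names are labels chosen for this example.
STATES = {
    "Phi+": (1, 0, 0), "Phi-": (-1, 0, 1),
    "Lam+": (1j, 1, 0), "Lam-": (-1j, 1, 1),
}

def cat_state(t, phase):
    """Sparse amplitudes of |0...0> + phase*|1...1> (unnormalised)."""
    return {(0,) * t: 1 + 0j, (1,) * t: complex(phase)}

def apply_paulis(state, bases):
    """Apply sigma_x or sigma_y to each particle according to `bases`."""
    out = {}
    for bits, amp in state.items():
        for b, basis in zip(bits, bases):
            if basis == "y":        # sigma_y|0> = i|1>, sigma_y|1> = -i|0>
                amp *= 1j if b == 0 else -1j
        flipped = tuple(1 - b for b in bits)   # both operators flip the bit
        out[flipped] = out.get(flipped, 0) + amp
    return out

def outcome_parity(state, bases):
    """XOR of all outcomes: 0 or 1 when fixed, None when uniformly random."""
    image = apply_paulis(state, bases)
    norm = sum(abs(a) ** 2 for a in state.values())
    expect = sum(a.conjugate() * image.get(k, 0) for k, a in state.items()) / norm
    if abs(expect - 1) < 1e-12:
        return 0        # joint eigenvalue +1: an even number of 1 outcomes
    if abs(expect + 1) < 1e-12:
        return 1        # joint eigenvalue -1: an odd number of 1 outcomes
    return None         # expectation 0: parity is 0 or 1 with probability 1/2

def predicted_parity(name, bases):
    """Parity claimed by (a) and (b), with M_y = floor(N_y / 2) assumed."""
    _, need_parity, sign = STATES[name]
    n_y = bases.count("y") % 4
    if n_y % 2 != need_parity:
        return None                 # supposition not satisfied: no rule
    return (n_y // 2) ^ sign        # P = M_y xor sign bit

def count_mismatches(max_t=6):
    """Compare rule and computation for every basis choice up to max_t particles."""
    bad = 0
    for t in range(1, max_t + 1):
        for name, (phase, _, _) in STATES.items():
            for bases in product("xy", repeat=t):
                if outcome_parity(cat_state(t, phase), bases) != predicted_parity(name, bases):
                    bad += 1
    return bad

if __name__ == "__main__":
    print("mismatches for t <= 6:", count_mismatches())
```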

Now, we consider two parties, A and B, that consist of $k$ members and $l$ members, respectively. Applying the previously described properties of the cat states, we obtain Table I.



III. PROTOCOLS 

By means of the properties of the cat states, we describe the QKD protocols between two groups. We first discuss how two groups proceed to share the secret key string. Next, we show that by modifying several steps the cat states can be used efficiently.



A. Protocol 

In this section, we present a QKD protocol between two groups, A and B, that consist of $k$ ($k > 1$) members and $l$ ($l > 2$) members respectively. From here, with $n = k + l$ we use the n-particle cat states and suppose that all members are arbitrarily ordered. For each shared bit, each group requires a member who collects the information that has been distributed to all members. We call such members the 'collectors'. We present one of the methods to collect the information after the description of the protocol. We presume that a collector chooses the cat state to be used and that the information about it is possessed by only the collector. However, if secure classical channels among members in A exist, all members in A may share the information on demand and then may choose the cat state together under their agreement.

1. A collector in A randomly chooses an n-particle cat state out of $|\Phi_n^{\pm}\rangle$ and $|\Lambda_n^{\pm}\rangle$, which is denoted by $|S\rangle$. Each particle of $|S\rangle$ is transmitted to each member of the two groups.

2. Each member of the two groups randomly performs a measurement on his own particle either in the x- or y-direction.

3. Each member in the two groups announces the basis he used through the public channel, but not the result he obtained. The two groups, A and B, obtain $\mathcal{N}_y^A$ and $\mathcal{N}_y^B$, respectively. We call the member who finally announces the basis in each group the 'last member'. Here, the announcement of the last member in A should be followed by B's.

4. Two groups, A and B, collect the outcomes to obtain $\mathcal{P}^A$ and $\mathcal{P}^B$, respectively, and then obtain the shared bit $\mathcal{M}_y^A \oplus \mathcal{P}^A$ and $\mathcal{M}_y^B \oplus \mathcal{P}^B$, respectively. The last member is never the collector and it will be discussed in Section IV B.

In order to obtain the key bit strings, the two groups should repeat the above steps a sufficient number of times.

5. The two groups have a public discussion on a set of bits used to detect an eavesdropper's presence. For the test bits, A reveals and is followed by B. The reason will be treated in Section IV B.

6. A announces the cat states $|S\rangle$ that were chosen at first. For $|S\rangle = |\Phi_n^{\pm}\rangle$, if $\mathcal{N}_y^A + \mathcal{N}_y^B$ is even, then the shared bit will be kept, and otherwise, it will be discarded. In case $|S\rangle = |\Lambda_n^{\pm}\rangle$, if $\mathcal{N}_y^A + \mathcal{N}_y^B$ is odd, it will be kept, and otherwise, it will be discarded. So the two groups keep it with probability 1/2.

With a set of test bits, the two groups independently make a test to detect the presence of eavesdroppers or a faulty bit string made by some members who behave wrong.

If an error exists, all shared keys should be discarded, and the two groups should go back to Step 1. Otherwise, they go on to the next step.

We suggest a method of obtaining $\mathcal{P}^A$ (or $\mathcal{P}^B$). Here, we consider the first member as a collector and all operations are modulo 2. The collector chooses a random bit 'R', adds it to his outcome, and sends the result to the second member. The second member adds his own outcome to the received one, and then gives it to the next member. This procedure is continued until the collector receives $\mathcal{P}^A$ (or $\mathcal{P}^B$) $\oplus R$. After that, the collector finally takes $\mathcal{P}^A$ (or $\mathcal{P}^B$), which is $\mathcal{P}^A$ (or $\mathcal{P}^B$) $\oplus R \oplus R$ (see Figure 1).

TABLE I: Relations between outcomes of A and B.

FIG. 1: Obtaining $\mathcal{P}$ ($\mathcal{P}^A$ or $\mathcal{P}^B$): is the outcome of the i-th member, R is the random bit chosen by the collector, and m is the number of all members.

If each member plays the role of the collector in rotation, the secret key string is divided among all members in equal portions. If, without rotation, just one member always plays the collector, the protocol may be similar to the EPR protocol. However, even in such a case it is not the same as the EPR protocol in the aspect of requiring all members' approval. For instance, a message from another group is never decrypted without all members' agreement.
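A classical simulation of Steps 1 to 6 and of the masked ring collection, added here as an example and not code from the paper. It assumes M_y = floor(N_y / 2), samples outcomes from the parity property of Section II rather than from a simulated quantum state, models no eavesdropper, and derives the public offset between the two groups' bits from that parity rule because Table I is not reproduced on this page; all function names are this example's own.

```python
import random

def m_y(n_y):
    """M_y for a y-count taken modulo 4 (assumed to be floor(N_y / 2))."""
    return (n_y % 4) // 2

def ring_sum(outcomes, rng):
    """Collector is member 0: mask with R, pass the sum round, remove R."""
    r = rng.getrandbits(1)
    running = outcomes[0] ^ r
    seen_by_members = []
    for bit in outcomes[1:]:
        seen_by_members.append(running)   # masked value this member receives
        running ^= bit
    return running ^ r, seen_by_members

def sample_outcomes(bases, kind, sign, rng):
    """Sample outcomes using only the parity property of the cat states."""
    n_y = bases.count("y")
    bits = [rng.getrandbits(1) for _ in bases]
    matched = (n_y % 2 == 0) if kind == "Phi" else (n_y % 2 == 1)
    if matched and (sum(bits) % 2) != (m_y(n_y) ^ sign):
        bits[-1] ^= 1                     # force the parity fixed by the state
    return bits, matched

def one_round(k, l, rng):
    kind, sign = rng.choice(["Phi", "Lam"]), rng.getrandbits(1)   # Step 1
    bases = [rng.choice("xy") for _ in range(k + l)]              # Step 2
    bits, keep = sample_outcomes(bases, kind, sign, rng)
    n_a, n_b = bases[:k].count("y"), bases[k:].count("y")         # Step 3
    p_a, _ = ring_sum(bits[:k], rng)                              # Step 4
    p_b, _ = ring_sum(bits[k:], rng)
    key_a, key_b = m_y(n_a) ^ p_a, m_y(n_b) ^ p_b
    # Offset computable from public data once |S> is announced (derived here).
    offset = m_y(n_a) ^ m_y(n_b) ^ m_y(n_a + n_b) ^ sign
    return keep, key_a, key_b ^ offset

def run(k=3, l=4, rounds=4000, seed=1):
    """Return (bits kept in Step 6, kept bits on which A and B agree)."""
    rng = random.Random(seed)
    kept = agree = 0
    for _ in range(rounds):
        keep, a, b = one_round(k, l, rng)
        if keep:                                                  # Step 6
            kept += 1
            agree += (a == b)
    return kept, agree

if __name__ == "__main__":
    print("kept, agreeing:", run())
```

About half of the rounds survive Step 6, and every surviving bit agrees between the two collectors when nobody interferes.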



B. Modified protocol with a chairperson 

In the previous protocol, each shared bit is discarded with probability 1/2 in Step 6. By modifying the method of performing the measurement in the previous protocol, the cat states can be used efficiently, i.e., the number of shared bits which are discarded can be decreased. Here, we assume that $k > 1$ and $l > 1$. In the modified protocol, a specific member, called the 'chairperson', keeps his own qubit intact until the other members announce their information on the bases, and then takes his own basis dependent on $|S\rangle$ to prohibit the bit from being discarded. Because the chairperson needs information on $|S\rangle$, a collector in A should play the chairperson.

We clearly remark that any member can play the chairperson if all members in A have the information on $|S\rangle$.

To obtain a more efficient protocol, Steps 3 and 4 in the previous protocol are modified as follows.

3'. Except the chairperson, each member in the two groups randomly performs a measurement on his own particle either in the x- or y-direction.

4'. (a) Let A' be the group consisting of all members in A except the chairperson. All members in A' and B announce the measurement bases. Then the two groups get $\mathcal{N}_y^{A'}$ and $\mathcal{N}_y^B$, respectively. Now, the collector in B never plays the last member.

(b) Using the properties of cat states, the chairperson performs the measurement on his particle depending on $\mathcal{N}_y^{A'} + \mathcal{N}_y^B$ and $|S\rangle$ in order to prevent the shared bit from being discarded.

We remark that the order of the basis announcements of two groups is not important in this protocol because $\mathcal{N}_y^A$ is determined by $\mathcal{N}_y^B$ and $|S\rangle$.



IV. ANALYSIS OF SECURITY 

In this section, we analyze the security of our protocols. Firstly, we discuss the case that several members have some wrong behavior. The second case treats an eavesdropper who uses the intercept/resend strategy. We again divide the second case into two cases according to the existence of members who give an eavesdropper some help. Since the protocols should be secure even if all members in A share the information on $|S\rangle$ before the transmission of the particles in the first step, we assume that all members in A know the information.



A. Members with wrong behaviors 

In this part, we discuss that when there are some members who behave wrong, if two groups, particularly the collectors, have faulty key strings then they can notice it from the test.

To begin with, we treat a chairperson in the modified protocol. The measurement basis of the chairperson is exactly determined by the other members' ones and the state $|S\rangle$. Thus, he cannot change his basis arbitrarily, and can affect only his measurement result. From the above fact, we clearly obtain that he can have no more influence on the key information than the other members. Therefore, it suffices to investigate the other members' behavior.

We consider the behavior of all members except the collector. Because $\mathcal{P}^A$ (or $\mathcal{P}^B$) is possessed by just a collector, any member except the collector cannot know it and hence cannot notice the shared bit. While some members are behaving wrong, they cannot perceive what key bit is made by their actions. Moreover, before the test step they cannot perceive whether errors will be detected in the test step and which bit strings are used to test. Hence, the nonexistence of errors in sufficiently many test bits implies that almost all the key bits have correct correlations (or anti-correlations). Since the collectors only possess the shared bits, if the bits have the correct correlations (or anti-correlations) the two groups can share correct keys although there exist some members who behave wrong. Therefore, if some members have a wrong effect on some of the bit strings and if the two groups share the faulty bit strings, then they can find errors from sufficiently many test bits.



B. Eavesdropper and conspirators in two groups 

Suppose that there are an eavesdropper and some members who assist her. Here, the eavesdropper and the members are called 'Eve' and 'conspirators', respectively. We first discuss the case that Eve uses the intercept/resend strategy without assistance of conspirators, and then the case that Eve, with some help from conspirators, uses this strategy and an $l$-particle entangled state to resend to B. Finally we treat the case that, under the same strategy, Eve uses an $n'$-particle entangled state to resend to B ($n' > l$).



1. No conspirator in intercept/resend strategy

We consider that Eve uses the intercept/resend strategy, i.e., Eve intercepts $l$ particles travelling from A to B, performs a measurement on those particles, and resends an $l$-particle fake state instead. Even if Eve chooses a fake state according to the measurement result and resends it, the two groups will detect an error in the shared bit with probability ^ for the original protocol, and with probability j for the modified protocol, respectively. The difference of probability comes from the nonexistence of the discarded bits in the modified protocol. Hence, the two groups can find errors for sufficiently many test bits.



2. Using intercept/resend strategy: Eve and conspirators

We consider that Eve adopts the intercept/resend strategy and has some conspirators in two groups. First conspirators should try to change A/'^^, Af^, or V^, to make no errors which are caused by Eve's eavesdropping. However, as stated in Section IV A it is impossible for any member except the collector to change and into what they want. In addition, any member except the last members can never change $\mathcal{N}_y^A$ and $\mathcal{N}_y^B$ into what they want. Thus, it suffices to treat the case that one more conspirator plays collectors (or last members) under the assumption that the collector (or the last member) is played in rotation by each member.

We assume that Eve eavesdrops with the probability $\lambda$, $0 < \lambda < 1$, using the intercept/resend strategy; $\lambda = 0$ means that Eve is not eavesdropping at all. Let $r_a$ be the number of conspirators in A and $r_b$ the number of conspirators in B. The two groups randomly select $t$ shared bits in order to estimate the error rate. In the first protocol, Eve's eavesdropping then causes at least the following error rates according to $r_a$ and $r_b$.

In the case that $r_a = 0$ and $r_b > 1$, we have



At 1-- 



(9) 



Applying Eve's the measurement result on the inter- 
cepted particles, they can notice the values of Afy and 
to make no errors. For example, in the case that the 
measurement result is \^^), if A/'jf is even and A4^ 
is then there is no error. So, only having assistance 
of a collector and a last member in B at once, they can 
forbid errors to be caused. They have the chance with 
ratio ^''Y^ for one shared bit, i.e., the conspirators in B 
can play a collector and a last member simultaneously 
with the ratio. Hence Equation is obtained. 

We note that if a last member is a collector in B then 
the ratio becomes greater than ''''"^ . Thus, in the first 
protocol, a last member can never be the identical person 
with a collector during one key agreement. 

In the case $r_a > 1$ and $r_b = 0$, we have



7^>*(i-^) 
8 



(10) 



From the information on $|S\rangle$ and Eve's measurement result they can find the suitable values for J\f.^ and which induce no error. Thus Eve and conspirators in A can change these values into the found suitable ones, only if the conspirators play the collector and the last member in A simultaneously. Hence Equation (10) is found. It also becomes the reason that a last member in A never plays a collector.

In the case $r_a > 1$ and $r_b > 1$, we have



1-a 



A*[(l--^)(l-^)] 



(11) 
In this case, it is clear that they are able to use two methods discussed in the above paragraphs. In addition, they are able to change to make the shared bit be discarded, or change to make no error by means of information on $\mathcal{M}_y$, $\mathcal{N}_y$, and $|S\rangle$. To do so, they need assistance of any conspirator in A for $|S\rangle$ and either the collector or the last member in B. The rate that such cases occur in B is ^^-^^f^- Therefore, we obtain Equation (11).

Furthermore, we perceive that $\mathcal{N}_y^A$ has to be announced before $\mathcal{N}_y^B$. This is because if not, Eve is able to make no errors even with assistance of either the collector or the last member in A without any conspirator in B.

Now, we can notice that the probabilities in Equations (9) and (10) are not less than that in Equation (11). So it is sufficient to treat only Equation (11).

For the case $r_b = l - 1$, the probability in Equation (11) is 0 and then this protocol is not secure, but it is not so in the modified protocol which will be treated later. Next, we consider the case $r_a = k - 1$ and $r_b = l - 2$.

l-(^-j >0.95. (12) 

if and only if 

Though $r_a = k - 1$ and $r_b = l - 2$, their existence can be detected with probability 0.95 by choosing sufficiently many test bits which satisfy $\lambda t > 135kl$. From the equations we can know that by increasing the number of test bits, even for extreme cases, eavesdropping can also be detected with as high a probability as the two groups need. However, more test bits are required to detect Eve's eavesdropping as the rate of existence of the conspirators increases.

We remark that quite many test bits should be chosen in the case that $r_a = k - 1$ and $r_b = l - 2$. Hence, upon all members' deliberation for presumption of the number of members that can behave wrong, the number of test bits can effectively be modulated.

We now consider the case that $r_a$ and $r_b$ are not more than a half of the number of all members in A and B, respectively. The probability in Equation (11) is larger than 0.95 if and only if

Then if ^ and are fixed, the probability increases as $k$'s value increases or $l$'s one decreases. From comparisons between Figures 2 and 4 and between Figures 3 and 4 we can certainly perceive the above facts.

If X — 5' T — ^ ^^"^ $\lambda = 1$, it follows from the condition $l > 2$ that the number of required test bits is not less than 270. However, for fixed $k$ and $l$ fewer test bits are required. The change of the error rate according to the number of test bits is exemplified in Table II for the case that ^ < 5 and ^ < i

FIG. 2: The probability in Equation (11) when $k = 6$, $l = 4$ and $r_a = 3$.

FIG. 3: The probability in Equation (11) when $k = 4$, $l = 6$ and $r_a = 2$.

The probability in the modified protocol has a little difference from the primary protocol because there are no discarded bits and $\mathcal{N}_y^A$ is determined by $\mathcal{N}_y^B$ and $|S\rangle$. By removing the strategy to use $\mathcal{N}_y$ we can easily get the following error rates of the modified protocol.

In the case $r_a = 0$,

In the case $r_a > 1$,

l-(j) . (16)

As in the case of the first protocol, we analyze just the case $r_a > 1$. The error rate in Equation (16) has no connection with the values of $r_a$ and $k$, and depends just on $r_b$ and $l$. For $r_b = l - 1$, we require only $t$ that satisfies $\lambda t > 10.4l$. For 1^ = i, it becomes $\lambda t > 21.4$. In the modified protocol, we can notice that the two groups require remarkably fewer test bits than in the first protocol, and furthermore errors can be detected from the test step even in the cases $l = 2$ or, $r_a = k - 1$ and $r_b = l - 1$, while errors cannot be detected for the case in the first protocol.

We remark that if just a collector can take the information on $|S\rangle$ or only one member plays the collector for all shared bits then fewer test bits would be required.

FIG. 4: The probability in Equation (11) when $k = 6$, $l = 6$ and $r_a = 3$.

TABLE II: The probability in Equation (11) when $k = l = 6$ and $r_a = 3$.

| $r_b$ \ $t$ | 20 | 40 | 60 | 80 | 100 | 120 | 140 |
|---|---|---|---|---|---|---|---|
| 1 | 0.6948 | 0.9069 | 0.9716 | 0.9913 | 0.9974 | 0.9992 | 0.9998 |
| 2 | 0.5894 | 0.8314 | 0.9308 | 0.9716 | 0.9883 | 0.9952 | 0.998 |
| 3 | 0.4476 | 0.6948 | 0.8314 | 0.9069 | 0.9486 | 0.9716 | 0.9843 |

3. Intercept/resend strategy using entangled states

We assume that Eve intercepts $l$ particles travelling from A to B, and call this state 'the intercepted state'. She chooses an $n'$-particle cat state and resends $l$ particles of this cat state to B ($n' > l$). We refer to the remainder $(n' - l)$-particle state as 'the remainder state'.

Before announcement of $\mathcal{N}_y^A$ (or $\mathcal{N}_y^B$) the measurement of the intercepted state (or the remainder state) cannot give her the information on $\mathcal{P}^A$ (or $\mathcal{P}^B$). So she should measure on the intercepted state and the remainder state, after $\mathcal{N}_y^A$ and $\mathcal{N}_y^B$ are announced. Even though she measures in the way, she should have the information on $|S\rangle$ to obtain $\mathcal{P}$, since is completely determined by $|S\rangle$ and $\mathcal{N}_y$. In order to take information on $|S\rangle$, she needs any conspirator in A.

On the other hand, she wants to change or into the values she desires to prevent errors from occurring. Thus she needs collectors' assistance in A or B. Without any conspirators the test induces errors with probability J in the first protocol and probability ^ in the modified protocol, respectively. For these facts Eve's strategy makes at least the following error rate in the first protocol.

In the case $r_a = 0$,

-'1 At (17)

In the case $r_a > 1$,

3\^*(i-t)(i-^) 4. (18)

In the modified protocol the error rates are similar to the first protocol, because Eve cannot have a different strategy. From these equations we can know that this strategy is not optimal to Eve.



V. SUMMARY 

Applying the properties of cat states and the secret sharing [6], we proposed two generalized QKD protocols between two groups and showed that the protocols are secure against an external eavesdropper using the intercept/resend strategy. The importance of these protocols is that any member in the two groups cannot obtain the secret key strings without cooperation, that is, the secret key strings can be obtained only under all members' approval.

Acknowledgments S.C. acknowledges the support 
from Ministry of Planning and Budget and thanks S.Lee 
for discussions. D.P.C. acknowledges the support from 
Korea Research Foundation (KRF-2000-0150DP0031). 



[1] R. L. Rivest, A. Shamir, and L. Adleman, Comm. Assoc. Comput. Mach. 21, 120 (1978).
[2] C. H. Bennett and G. Brassard, in Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India (IEEE, New York), pp. 175-179 (1984).
[3] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991).
[4] C. H. Bennett, G. Brassard and N. D. Mermin, Phys. Rev. Lett. 68, 557 (1992).
[5] D. Greenberger, M. Horne, and A. Zeilinger, in Bell's Theorem, Quantum Theory, and Conceptions of the Universe, edited by M. Kafatos (Kluwer Academic, Dordrecht, 1989).
[6] M. Hillery, V. Buzek, and A. Berthiaume, Phys. Rev. A 59, 1829 (1999).
[7] S. Bose, V. Vedral, and P. L. Knight, Phys. Rev. A 57, 822 (1998).
[8] H. F. Chau, e-print quant-ph/9901024 (1999); C. Crepeau, D. Gottesman, and A. Smith, ibid. 0206138 (2002).
[9] C. H. Bennett, G. Brassard, C. Crepeau, and U. M. Maurer, IEEE Trans.
[10] C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin, J. Cryptology 5, 3 (1992).



